When it comes to passwords, it always made sense to choose complexity so your password would be harder to steal. As per NIST, it does seem to be the case anymore.
What is NIST?
NIST is the National Institute of Standards and Technology at the U.S. Department of Commerce. The NIST Cybersecurity Framework helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
What are the New Password Recommendations?
- Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
- Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
To summarize these points, the biggest shift in this new recommendation is NIST emphasizes password length. The mandatory complex characters is no longer required! Research shows that longer passwords are harder to crack, even if they don’t include a variety of character types. 8 characters is recommended by NIST but 16 characters or more is better for added security.
Consider using a passphrase that is easier to remember than a complex password. For example, “TestTingWonTwoTree” is better than”C@sdvj!4xy0“. Make sure to add a personal twist to your passphrase to make it unique and not too obvious to crack.
Say goodbye to mandatory password changes! Having to change your password every 30/60/90 days can be tedious and a lot of times users will use the same password and may change or add a character. NIST has realized that forcing users to change passwords frequently doesn’t necessarily improve security. No more “Password123!” followed by “Password 124!” every few months.
NIST supports the use of Password Managers and permit claimants to use the “paste” functionality when entering a password to facilitate their use. Password managers have been shown to increase the likelihood that users will choose stronger passwords, particularly if the password managers include password generators,
The new NIST guidance recommends CSPs immediately “suspend, invalidate or destroy” compromised password and login information following the detection of an account compromise. Organizations are also encouraged to provide users with backup authentication methods to regained secured access to their accounts. The guidelines also stress the importance of multi-factor authentication (MFA) as an additional layer of security.
Review the new NIST guidelines here.